(54) VPN system in mobile IP network, and method of setting VPN



(57) Linked with a position registration procedure in a mobile IP, the invention provides a VPN setting service using an IP Sec. tunnel between optional terminals without requiring these terminals to have a specific VPN function. This service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. A home authentication server extracts from the VPN database the VPN information of a user who has requested the authentication at the time of making a position registration request from the mobile terminal. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set a VPN path by the IP Sec. between a home network apparatus and an external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.
Description

BACKGROUND OF THE INVENTION 
Field of the invention 

[0001] In recent years, along with the wide distribution of the Internet, there has been an increasing trend that enterprises attempt to decrease their communication costs by replacing their exclusive communication lines with a virtual path (VPN: virtual private network) on the Internet. Reinforcing the security on the Internet is essential in realizing electronic commercial transactions. As a method of realizing this requirement, attention has been focused on the IP Security Protocol (hereinafter to be abbreviated as the IP Sec.).

[0002] In the meantime, with the full-scale introduction of IMT-2000 near at hand, the Internet environment has already started to shift toward the mobile environment. The introduction of the mobile environment into the Internet increases the convenience of the users of the Internet. However, this also involves an increasing risk of weakening the security of the Internet. Therefore, there has been a high demand for a provision of a framework that protects security in the mobile environment.
[0003] In the IMT-2000, there have also been made many proposals on the system that combines the IP Sec. with the IP Mobility Support (hereinafter to be referred to as the Mobile IP) prescribed in RFC2002 that is a basis of the core net architecture. The mobile IP (Mobile Internet Protocol) is a technique for automatically carrying out the IP address management and automatically transferring the communication packet to a move destination of a terminal when the terminal has moved from one IP network to another IP network. An agent function for executing the transfer of an address is provided in a router so that the router can manage both the home address of a terminal as its "registered original address" and a "care-of-address" as a current address of the terminal. When the terminal has moved from one network to another network, the terminal registers a new care-of-address in the router of the network in which the home address exists. Based on a tunneling technique of this arrangement, it becomes possible for this terminal to receive a message sent to the terminal home address from a person who does not know the movements of the terminal.

[0004] However, the above proposals are based on the assumption that the end user terminal has the IP Sec. function, as these techniques do not guarantee the complete security on the communication path, that is, between the home agent and the communication terminal. According to the above proposals, all the terminals participating in the communications need to be equipped with the IP Sec. This requirement is not sufficient as a framework to protect the security in the mobile environment. Therefore, there is little meaning in linking the mobile IP with the IP Sec.



Description of the Related Art 

[0005] Fig. 1 shows one example of a structure of a network to which the linkage of the mobile IP with the IP Sec., according to the existing proposals, has been applied.

[0006] This structure employs both the mobile IP that has been proposed by RFC2002 as the IP architecture for supporting the mobile environment, and the IP Sec. as the architecture for realizing the security on the Internet. From the nature of the mobile IP, it has weak security as compared with the normal network. Therefore, various systems for reinforcing the security are employed, including the IP Sec.

[0007] In the example shown in Fig. 1, an IP Sec. tunnel 6 substitutes for an IP-IP tunnel set between a mobile agent 21 (a foreign agent, FA) in a network 2 to which a user 1 (MN: Mobile Node) prescribed by the mobile IP has accessed and a mobile agent 31 (a home agent, HA) in a user's home network 3. In this case, it is necessary that VPN information to be used in the IP Sec. is set in advance to the mobile agents 21 and 31 respectively.

[0008] A dynamic provision of an IP Sec. tunnel 7 is also included in the above proposals. However, this is a system that depends on an automatic key exchange (IKE) between the mobile terminal 1 and the mobile agents 21 and 31. This system also requires a separate provision of the IP Sec. using an automatic key exchange (IKE) in a communication destination host 52 (CN: Correspondent Node). In this case, it is further necessary to change the mobile IP.
[0009] In general, a VPN refers to a virtual path of a user provided in the Internet using the IP Sec., the MPLS, or others. A VPN has no linkage with another Internet technique, for example, a differentiated service by a user unit. As a result, the service quality guarantee of the VPN is carried out based on a sufficient allocation of network resources and a uniform priority control, such as, for example, a simple priority control using a protocol number of the IP Sec. protocol as a filtering condition.
[0010] According to the above-described system, all the terminals participating in the communications need to be provided with the IP Sec. Therefore, there is little meaning in providing the IP Sec. service as the network. Further, there has been a problem that a network service with improved user convenience by freely combining the security service with the service quality guarantee cannot be provided to the terminals, including existing terminals not equipped with the IP Sec.

SUMMARY OF THE INVENTION 

[0011] It is, therefore, an object of the present invention to provide a VPN setting service that enables the communications in the mobile IP to be carried out by using a safe communication path. Linked with a position registration procedure in the mobile IP, it is another ob-
tion message and the authentication response message. The network apparatuses (HA, FA) set a VPN between the HA and the FA based on the posted VPN information. When the communication destination terminal CN exists in other network 4, the network apparatus (HA) further sets a VPN to the security gateway (PCN) accommodating the communication destination terminal assigned by the VPN information from the HA.
[0021] Further, the authentication server and the network apparatuses update the VPN information cached to the authentication server and the network apparatuses linked to the position registration request based on the move of the mobile terminal 1, into new path information. The authentication server and the network apparatuses further rewrite the VPN information based on the position information posted by the mobile IP. As a result, a new IP Sec. tunnel is set dynamically between the new FA and the HA and between the PCN and the new FA, and the VPN path is automatically updated. Further, in order to make complete the security protection in the data packet transfer to the FA, the IP Sec. tunnel is also set in the binding tunnel to the FA at the time of a smooth hand-off.

[0022] The authentication server (AAAH) of the present invention has: a VPN database for storing the service quality desired by the user, the security information between the security gateways, and a correspondence table between the VPN information by a user unit, consisting of the IP addresses of the communication destination hosts (CN) for setting a VPN, and the security gateway (VPNGW) for accommodating the communication destination host; an AAAVPN control section for specifying a VPN setting path based on a security gateway (FA) address of the access network 2 to which the mobile terminal set in the authentication request message has been connected, a security gateway (HA) address of the home network 3 of the mobile terminal, and a security gateway (PCN: Proxy CN) address for accommodating the communication destination host (CN) set in the user correspondence VPN information and the communication destination host extracted from the correspondence table; and an AAA protocol processing section for setting the service quality and the security information between the security gateways as a service profile, to the authentication response message to the access network and the position registration message to the home network.

[0023] Further, the network apparatuses (HA, FA, PCN) consisting of the security gateways of the present invention have an MA (Mobility Agent) protocol processing section for understanding the service profile set with the VPN information, the RFC2002 and other relevant expansion protocols, and an MAVPN control section for setting the QoS control for guaranteeing the service quality according to the posted service profile and a tunnel for guaranteeing the security between the security gateways.

[0024] The MA protocol processing section in the PCN also carries out a protocol processing of receiving, on behalf of the CN not supporting the mobile IP under its management, a Binding update message sent from the HA to this CN, and setting, on behalf of the CN, the binding tunnel to the FA by using the IP Sec. tunnel, based on the service profile set with the VPN information posted by the Binding update message.
[0025] When the security protection has been requested by the service profile at the time of setting the tunnel, the MAVPN control section of the network apparatus (HA) in the home network 3 of the mobile terminal (MN) 1 sets the IP Sec. tunnel in place of the normal IP-IP tunnel as the tunnel directed from the HA prescribed by the RFC2002 to the network apparatus (FA) in the external network 2 that is the current connection point of the mobile terminal. In the meantime, when the security protection has been requested by the service profile, the MAVPN control section at the FA side sets the IP Sec. tunnel in place of the IP-IP tunnel as the tunnel (usually called a reverse tunnel) from the FA to the HA.

[0026] As described above, according to the present invention, linked with the position registration procedure in the mobile IP, a VPN using the IP Sec. can be set dynamically to the security gateways of the terminals participating in communications, connecting to the public IP network. Therefore, it is possible to provide the VPN setting service between optional mobile terminals (MN) and communication destination hosts (CN) without requiring the terminals and the hosts to have a specific VPN function. Further, as the VPN setting service can be provided at the network side, the users can assign service quality, a security level, and a path based on a free combination of these items.


BRIEF DESCRIPTION OF THE DRAWINGS 

[0027] The present invention will be more clearly understood from the description as set forth below with reference to the accompanying drawings.

[0028] Fig. 1 is a diagram showing an example of an application of the mobile IP plus the IP Sec. according to existing proposals.

[0029] Fig. 2 is a diagram showing an example of a structure of a network according to the present invention.

[0030] Fig. 3 is a diagram showing an example of a functional block structure relating to the present invention.

[0031] Fig. 4 is a diagram showing a first embodiment of the present invention.

[0032] Fig. 5 is a diagram showing an example of a structure of a VPN database.

[0033] Fig. 6 is a diagram showing an example of a detailed functional block structure of the AAA.

[0034] Fig. 7 is a diagram showing an example of a structure of a VPN information cache.

[0035] Fig. 8 is a diagram showing a CN-GW address
tion point of the ISP 2 having the roaming contract, includes this registration request in an authentication request message (AMR) (g), and transmits this authentication request message to AAA (AAAH) 33 of the home ISP 3 of the user via an AAA server (AAAF) 23 within the own ISP.

[0065] The AAAH searches the VPN database 34 by the NAI included in the authentication request message (AMR), and extracts the VPN information 35 own to this user. From the CN-GW address correspondence table, it can be known that it is not possible to dynamically set a VPN to the domain address of the enterprise assigned as the communication destination in the VPN database. Therefore, the AAAH sets two VPNs, including a VPN between the FA and the HA and a VPN between the HA and the enterprise GW, to a VPN information cache to be described later. Next, the AAAH transmits a position registration request message (HAR) added with the profiles of the two VPNs, to the HA (®).
[0066] Fig. 6 shows an example of detailed functional blocks of the AAA, and Fig. 7 to Fig. 12 show examples of their operation.

[0067] In Fig. 6, AAA 33 (and AAA 23) consists of an application server 305, a network kernel 303, and a physical network device interface 304, in addition to the AAA protocol control section 301 and the AAAVPN control section 302, both shown in Fig. 3. The AAA protocol control section 302 consists of an AAA protocol processing section 311 for controlling the AAA protocol.
[0068] The AAAVPN control section 302 consists of a VPN information cache 312 for caching the VPN information extracted from the VPN database (shown in Fig. 5), a VPN path determination control section 313, and a key generator 315. Fig. 7 shows an example of the VPN information cache 312. The VPN information cache 312 is a set of VPN information cache instances 1 to n. The VPN information cache 312 is searched by using a session ID that includes unique user own information in a network, effective while a user is making access to the network. Each of the VPN information cache instances 1 to n consists of a session ID as a unique identifier, a profile number that shows a number of VPNs set by the user, and VPN information profiles 1 to n that include set information of each VPN.
[0069] Each of the VPN information profiles 1 to n consists of a profile number as an identifier for uniquely identifying a VPN, an IP address of a transmitter and an IP address of a destination for specifying a packet to which a VPN is applied, a transmitter net mask and a destination net mask, a TOS value to be set to the packet, a security type for showing whether the IP Sec. is to be set by the AH, the ESP or by only encapsulation, a transmitter gateway address and a destination gateway address that are an entrance and an exit of the IP Sec. tunnel referred to by the IP Sec. tunnel mode, a destination gateway address type for showing whether a VPN can be set dynamically to the destination gateway or not, an upward SPI (Security Parameter Index) and a downward SPI as identifiers of the security, an upward ESP encryption key and a downward ESP encryption key, and an upward authentication key and a downward authentication key.

[0070] The VPN path determination control section 313 has a CN-GW address correspondence table 314. Fig. 8 shows an example of the CN-GW address correspondence table. The CN-GW address correspondence table consists of address instances 1 to n, each including a CN address/net mask, a GW address, and a GW type. This table is searched using the CN address/net mask (an enterprise domain address) as a key.
[0071] The application server consists of a VPN database 34 and a WEB application 36. The network kernel 303 is an operating system for controlling a transfer of the IP packet and a physical interface as a connection point to the network. The physical network device interface 304 is an interface (a hardware control driver) to a physical network device, and is usually a NIC card of a LAN.

[0072] Fig. 9 to Fig. 13 show examples of a process- 
ing flow of the AAA. 

[0073] Fig. 9 shows an example of a total processing of the AAA. When the network kernel 303 has received a packet from the physical network interface 304, the network kernel 303 selects an AAA signaling packet based on a port number, and delivers the information of the received packet to the AAA protocol control section 301 (S100). Fig. 10 shows an example of a processing flow of the AAA protocol processing section 311. First, the AAA protocol processing section 311 makes a decision on the received message based on a command code AVP (an attribute parameter) of the received AAA protocol (S101). When the message is the authentication request message (AMR), the process proceeds to step S102. When the message is an authentication response message (AMA) to be described later, the process proceeds to step S103. When the message is another message, the process proceeds to step S104.

[0074] In the present example, the AAAVPN control section 302 is started (S102). Next, the AAA protocol processing section 311 sets the VPN information extracted from the VPN database 34 to the VPN information cache (S103). Then, the AAA protocol processing section 311 edits the corresponding message according to the CN-GW correspondence table, for example, sets a differentiated service, and transmits a result (S104). A profile cache AVP to the effect that the VPN information cache has been set is set to the authentication response message (AMA) and the position registration request message (HAR) that are transmitted by the AAAH 33. Fig. 11 shows a message correspondence table (a relationship among a transmission message, a reception message, and a processing unit of these messages) at step S104 shown in Fig. 10.

[0075] Fig. 12 shows an example of a processing flow of the AAAVPN control section 302. First, the AAAVPN control section 302 searches the VPN database 34 by the NAI of the mobile terminal, and extracts the corresponding VPN information (S105). Next, the AAAVPN control section 302 starts the VPN path determination control section 313 (S106). When the SPI (Security Parameter Index) read from the VPN database 34 is a default SPI, the AAAVPN control section 302 finishes the processing. When the SPI read from the VPN database 34 is not a default SPI, the AAAVPN control section 302 generates a separate key with the key generator 315.

[0076] Fig. 13 shows an example of a processing flow of the VPN path determination control section 313. The VPN path determination control section 313 extracts the address of the VPNGW (FA) 21 at the MN 1 side from the request originating host address of the authentication request message (AMR) (S109). Further, the VPN path determination control section 313 searches the CN-GW address correspondence table 314 by the CN address read from the VPN database 34, and reads the address of the VPNGW 51 at the CN 52 side and the VPNGW type (S110).

[0077] Next, when the VPNGW type is the one to which a VPN can be set dynamically, the process proceeds to step S112. When the VPNGW type is the one to which a VPN cannot be set dynamically, the process proceeds to step S113. In the present example, the processing at step S113 is carried out. The VPN path determination control section 313 sets the address of the HA 31 to the transmission originating GW address of the VPN information posted to the HA 31, and sets the address of the GW 51 read from the CN-GW address correspondence table 314 to the destination GW address. Further, the VPN path determination control section 313 sets the address of the FA 21 to the transmission originating GW address of the VPN information to be posted to the FA 21, and sets the address of the HA 31 to the destination GW address. Then, the VPN path determination control section 313 finishes the processing (sets a path to the FA, the HA and the CN).
[0078] In the meantime, when the VPNGW type is the one to which a VPN can be set dynamically, the VPN path determination control section 313 sets the address of the FA 21 to the destination GW address of the VPN information posted to the HA 31, and sets the address of the GW 51 read from the CN-GW address correspondence table 314 to the destination GW address. Further, the VPN path determination control section 313 sets the address of the FA 21 to the transmission originating GW address of the VPN information to be posted to the FA 21, and sets the address of the GW 51 read from the CN-GW address correspondence table to the destination GW address. Then, the VPN path determination control section 313 finishes the processing (sets a path between the FA and the CN (or the PCN)).
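The following is an added example, not code from the patent, that models the AAAVPN control section as paragraphs [0068] to [0070] and [0075] to [0078] describe it: the VPN information cache searched by session ID, the CN-GW address correspondence table searched by CN address, the key generator invoked only when the SPI read from the database is not the default, and the path determination of Fig. 13 that fills in the originating and destination gateway addresses of the profiles posted to the HA and to the FA. All class, field and function names, the longest-prefix rule for the table search, the 128-bit key size, the meaning of SPI 0 as "default", and every address are this example's own assumptions; for the dynamic case of [0078], where the text names the FA and GW 51 addresses for the profile posted to the HA, the example reads them as tunnel entrance and exit.

```python
"""Added example (not the patent's code): a model of the AAAVPN control section of
paragraphs [0068]-[0070] and [0075]-[0078]. Names, the prefix-match rule, key sizes
and all addresses are this example's own assumptions; sample data is constructed."""
import ipaddress
import secrets
from dataclasses import dataclass, field, replace

DEFAULT_SPI = 0   # assumption: SPI 0 in the VPN database marks a pre-set (contracted) SA


@dataclass
class VpnProfile:
    """One VPN information profile of the cache in Fig. 7."""
    profile_no: int
    src_net: str            # transmitter address/net mask the VPN applies to
    dst_net: str            # destination address/net mask
    tos: int                # TOS value to set on the packet
    security_type: str      # "AH", "ESP" or "ENCAP" (encapsulation only)
    src_gw: str = ""        # entrance of the IP Sec. tunnel (tunnel mode)
    dst_gw: str = ""        # exit of the IP Sec. tunnel
    dst_gw_dynamic: bool = False
    spi_up: int = DEFAULT_SPI
    spi_down: int = DEFAULT_SPI
    keys: dict = field(default_factory=dict)   # upward/downward ESP and authentication keys


@dataclass
class CnGwEntry:
    """One address instance of the CN-GW address correspondence table (Fig. 8)."""
    cn_net: str      # CN address/net mask, e.g. an enterprise domain
    gw: str          # security gateway (VPNGW/PCN) accommodating that CN
    dynamic: bool    # GW type: True if a VPN can be set to it dynamically


def lookup_cn_gw(table, cn_addr):
    """S110: search the table by CN address; the longest matching prefix wins (assumption)."""
    ip = ipaddress.ip_address(cn_addr)
    hits = [e for e in table if ip in ipaddress.ip_network(e.cn_net)]
    return max(hits, key=lambda e: ipaddress.ip_network(e.cn_net).prefixlen, default=None)


def generate_keys():
    """Key generator 315 (S108): independent keys per direction; 128-bit size is assumed."""
    return {n: secrets.token_bytes(16)
            for n in ("esp_enc_up", "esp_enc_down", "auth_up", "auth_down")}


def determine_paths(fa_addr, ha_addr, mn_addr, cn_addr, db_profile, table):
    """Fig. 13 (S109-S113): build the profiles to post to the HA and to the FA.

    fa_addr is the request-originating host address taken from the AMR (S109)."""
    entry = lookup_cn_gw(table, cn_addr)
    if entry is None:
        raise LookupError(f"no security gateway known for CN {cn_addr}")
    base = replace(db_profile, src_net=mn_addr, dst_net=cn_addr, dst_gw_dynamic=entry.dynamic)
    if entry.dynamic:                       # S112: FA <-> PCN directly (interpretation of [0078])
        for_ha = replace(base, profile_no=1, src_gw=fa_addr, dst_gw=entry.gw)
        for_fa = replace(base, profile_no=2, src_gw=fa_addr, dst_gw=entry.gw)
    else:                                   # S113: HA <-> enterprise GW and FA <-> HA
        for_ha = replace(base, profile_no=1, src_gw=ha_addr, dst_gw=entry.gw)
        for_fa = replace(base, profile_no=2, src_gw=fa_addr, dst_gw=ha_addr)
    # S107/S108: a default SPI means the SA is pre-set; otherwise separate keys are generated
    if db_profile.spi_up != DEFAULT_SPI:
        for_ha.keys, for_fa.keys = generate_keys(), generate_keys()
    return {"HA": for_ha, "FA": for_fa}


class VpnInfoCache:
    """VPN information cache 312: instances searched by session ID (Fig. 7)."""

    def __init__(self):
        self._instances = {}

    def set(self, session_id, profiles):
        self._instances[session_id] = {"profile_count": len(profiles), "profiles": profiles}

    def get(self, session_id):
        return self._instances.get(session_id)


# Constructed sample data: an enterprise GW that cannot take a dynamic VPN, and a PCN that can.
CN_GW_TABLE = [
    CnGwEntry("192.0.2.0/24", "198.51.100.1", dynamic=False),   # enterprise GW 51
    CnGwEntry("203.0.113.0/24", "198.51.100.2", dynamic=True),  # PCN
]
DB_PROFILE = VpnProfile(0, "", "", tos=0x28, security_type="ESP", spi_up=0x100, spi_down=0x101)


def demo():
    """One AMR for a roaming MN whose CN sits behind the enterprise GW."""
    cache = VpnInfoCache()
    paths = determine_paths("10.0.1.1", "10.0.2.1", "10.0.2.50", "192.0.2.10", DB_PROFILE, CN_GW_TABLE)
    cache.set("sess-1", [paths["HA"], paths["FA"]])
    return cache.get("sess-1")


if __name__ == "__main__":
    for p in demo()["profiles"]:
        print(p.profile_no, p.src_gw, "->", p.dst_gw, "fresh keys" if p.keys else "pre-set SA")
```

Running `demo()` reproduces the two-VPN case of [0065]: the profile for the HA runs from the HA to GW 51, the profile for the FA runs from the FA to the HA, and each carries its own freshly generated keys because the database SPI is not the default. A CN with no table entry raises instead of silently posting an empty gateway, which is the failure mode a gateway operator would want surfaced.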
[0079] Referring back to Fig. 4, the HA 31 caches the VPN information added to the position registration request message (HAR) that has been received from the AAAH 33, and further maps an assigned differentiated service. Thereafter, the HA 31 sets an IP Sec. tunnel (2) from the HA 31 to the enterprise GW 51, and sets an IP Sec. tunnel (3) from the HA 31 to the FA 21 based on the path information received. Further, the HA 31 sets the information for decoding a packet of an opposite-direction tunnel to an IP Sec. information table to be described later. As the IP Sec. tunnel (1) from the GW 51 at the enterprise side to the HA 31 has already been fixed based on the initial contract setting (SLA), it is not necessary to set this IP Sec. tunnel (1) from the HA 31 to the enterprise GW 51. The HA 31 transmits the position registration response message (HAA) to the AAAH 33 after finishing the position registration processing.

[0080] When the AAAH 33 has received the position registration response message (HAA), the AAAH 33 extracts a VPN between the FA and the HA from the VPN information cache 312 (see S113 in Fig. 13). The AAAH 33 then transmits to the AAAF 23 an authentication response message (AMA) added with the VPN profile to set to the FA 21 (©). The AAAF 23 caches the VPN information within the AAAF 23 to follow the move within the local domain of the MN 1, and transfers this VPN information to the FA 21 (reference S101, S103 and S104 in Fig. 10).

[0081] The FA 21 caches the VPN information added to the authentication response message (AMA) and further maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (4) from the FA 21 to the HA 31. Further, the FA 21 sets the information for decoding a packet of an opposite-direction tunnel to the IP Sec. information table. Last, the FA 21 returns the registration response message (Reg Rep) to the MN 1 ((3)). As a result, the VPNs from the access point of the MN 1 to the GW 51 of the enterprise have been set. Further, as a packet of a user who has not been assigned by the enterprise is not transferred via the IP Sec. tunnel, it is possible to prevent an unauthorized user from making an illegal access to the enterprise. It is also possible to avoid making a troublesome contract with a plurality of ISPs and SLAs.

[0082] Fig. 14 shows detailed functional blocks of the MA (FA, HA, PCN), and Fig. 15 to Fig. 24 show examples of operations.

[0083] In Fig. 14, each network apparatus of the FA, the HA and the PCN consists of an MA protocol control section 321, an MAVPN control section 322, a network kernel 323, and a physical network device interface 324. The MA protocol control section 321 consists of an AAA protocol processing section 331 for controlling the AAA protocol, and a mobile IP protocol processing section 332 for controlling the mobile IP. The MAVPN control section 322 consists of a VPN information cache 333 for caching the VPN information posted by the AAA or the MIP protocol, a QoS control section 334, and a tunnel control section 335.
[0084] The VPN information cache 333 has a similar structure to that explained with reference to Fig. 7. The QoS control section 334 sets to the network kernel 323 filter information consisting of a TOS value set to the VPN information cache 333, a transmission originating address and a destination address for identifying a packet that marks the TOS value, and their net masks. The tunnel control section 335 rewrites an output device of a route table 337 to a virtual device in a destination IP address that has been set in the VPN information cache 333. Further, the tunnel control section 335 sets to an IP Sec. information table 336 a transmission originating IP address and a destination IP address, their net masks, a security type, a transmission originating gateway address and a destination gateway address, an upward SPI and a downward SPI as identifiers of the security, an upward ESP encryption key and a downward ESP encryption key, and an ESP authentication key. The tunnel control section 335 encrypts and encapsulates a packet output from the network kernel 323 to the virtual device, by referring to the IP Sec. information table 336.

[0085] Fig. 15 shows an example of the IP Sec. information table 333. The IP Sec. information table consists of IP Sec. information, ESP information, and tunnel information. The IP Sec. information is a collection of IP Sec. information instances, and is specified by a set of a transmission originating address and a destination address. Each IP Sec. information instance consists of a transmission originating address/net mask, a destination address/net mask, an actual destination address as an actual transfer destination of a packet, a tunnel information identifier to be applied to this packet, and an ESP information identifier to be applied to this packet. The ESP information is a collection of ESP information instances. This ESP information consists of an ESP identifier for uniquely identifying ESP information, an encryption method, a direction, an AH authentication key length, an ESP authentication key length, an ESP encryption key length, an AH authentication key, an ESP authentication key, and an ESP encryption key. The tunnel information is a collection of tunnel information instances. The tunnel information consists of a tunnel identifier for uniquely identifying tunnel information, an encapsulation method, a direction, and a transmission originating address and a destination address that become an entrance and an exit of a tunnel.
[0086] The network kernel 323 is an operating system for controlling a transfer of an IP packet and a physical interface as a connection point to the network, and has a routing table 337 for determining a transfer route of the IP packet. The network kernel 323 carries out the encapsulation of the IP packet, the packet editing, and the control of the packet transmission queue. These functions depend on the operating system, and therefore, they will not be explained in the present invention.
[0087] Fig. 16 shows an example of the routing table 337. The general routing table consists of a destination address, a gateway address, a net mask, a metric, an exit interface, and other control auxiliary information. A route is determined based on the destination address and the metric. In the present invention, a network kernel that does not depend on a structure of the route table but can set a virtual device to an output destination will be explained in detail below. The network kernel has a function of decapsulating an encapsulated packet upon receiving this packet. When a packet after the decapsulation includes the ESP header, the network kernel has a function of decoding the encrypted packet by referring to the ESP information held in the tunnel control section 335. The physical network device interface 324 is an interface (a hardware control driver) to a physical network device. The physical network device is a package or an NIC card of, for example, a LAN, an ISDN, an ATM, etc.

[0088] Fig. 17 to Fig. 24 show examples of a processing flow of the MA. The MA processing according to the present invention will be explained below with reference to these examples of the processing flow.
[0089] Fig. 17 shows a total processing flow of the MA. Upon receiving a packet from the physical network interface 324, the network kernel 323 decapsulates and decodes the encrypted packet as briefly explained above, and then discriminates the received packet between a signaling packet and a data packet (S200). The selection of a signaling packet is determined based on whether the packet has been received by a port number assigned by the MA protocol control section 321 or not. When the received packet is a signaling packet, the process proceeds to step S201, and when the received packet is not a signaling packet, the process proceeds to step S203.

[0090] When the received packet is a signaling packet, the network interface 324 delivers the information of the received packet to the MA protocol control section 321, and then the MA protocol control section 321 carries out the AAA protocol processing 331 and the mobile IP protocol processing 332 (S201). Next, the MAVPN control section 322 is started to carry out the VPN information processing (S202). At step S203, the network kernel 323 determines the interface to the output destination of the received packet by referring to the routing table 337. The network kernel 323 edits the packet according to a filtering condition of a differentiated service set in advance in the kernel. When the output destination is a virtual device, the process branches to step S204. When the output destination is a physical device, the packet is transferred to this device.

[0091] At step S204, the network kernel 323 delivers the information of the transferred packet to the MAVPN control section 322, and the MAVPN control section 322 carries out a tunneling and encryption of the packet based on the information set in advance. In the case of encapsulating the IP packet by the tunneling processing, the MAVPN control section 322 carries over the TOS information of the original packet. The IP packet that has been edited is returned to the network kernel 323 again. Then, the network kernel 323 transfers the packet to a corresponding physical device by referring
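The following is an added example, not code from the patent, that models the MA data path of paragraphs [0084] and [0085] together with the flow of Fig. 17 in paragraphs [0089] to [0091]: the port-based split between signaling and data packets, the routing table lookup that sends a destination to a virtual device, the IP Sec. information table selected by originating and destination address, and the encapsulation that keeps the TOS value of the inner packet. Table shapes follow Fig. 15 and Fig. 16; the class names, the packet representation, the signaling port numbers and all addresses are this example's own assumptions, and the protection step is a labelled stand-in (an HMAC tag over the payload), not an ESP implementation.

```python
"""Added example (not the patent's code): the MA data path of paragraphs [0084]-[0085]
and [0089]-[0091]. Names, ports and addresses are constructed; the "encryption" step
is a labelled stand-in (HMAC tag), not ESP."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

MA_SIGNALING_PORTS = {434, 1812}   # assumption: ports assigned to the MA protocol control section 321


@dataclass
class Packet:
    src: str
    dst: str
    tos: int
    dport: int
    payload: bytes
    outer: dict = field(default_factory=dict)   # filled in when the packet is encapsulated


@dataclass
class Route:            # one row of the routing table 337 (Fig. 16)
    dst_net: str
    gateway: str
    metric: int
    device: str         # exit interface: physical ("eth0") or virtual ("ipsec0")


@dataclass
class EspInfo:          # one ESP information instance (Fig. 15)
    esp_id: int
    method: str
    direction: str
    auth_key: bytes
    enc_key: bytes


@dataclass
class TunnelInfo:       # one tunnel information instance (Fig. 15)
    tunnel_id: int
    method: str         # encapsulation method
    direction: str
    entrance: str       # transmission originating gateway address
    exit: str           # destination gateway address


@dataclass
class IpsecInfo:        # one IP Sec. information instance, selected by src/dst nets
    src_net: str
    dst_net: str
    actual_dst: str     # actual transfer destination of the packet
    tunnel_id: int
    esp_id: int
    spi: int


def _contains(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class MobilityAgent:
    """The network kernel 323 plus the MAVPN control section 322 of one FA/HA/PCN."""

    def __init__(self, routes, ipsec, esp, tunnels):
        # longest prefix first, then lowest metric: the order the kernel lookup needs
        self.routes = sorted(routes, key=lambda r: (-ipaddress.ip_network(r.dst_net).prefixlen, r.metric))
        self.ipsec = ipsec
        self.esp = {e.esp_id: e for e in esp}
        self.tunnels = {t.tunnel_id: t for t in tunnels}

    def classify(self, pkt):
        """S200: signaling if received on a port assigned to the MA protocol control section."""
        return "signaling" if pkt.dport in MA_SIGNALING_PORTS else "data"

    def route(self, dst, physical_only=False):
        """S203: routing table lookup for a destination address."""
        for r in self.routes:
            if _contains(r.dst_net, dst) and not (physical_only and r.device.startswith("ipsec")):
                return r
        return None

    def tunnel(self, pkt):
        """S204: protect and encapsulate a packet the kernel handed to the virtual device."""
        sa = next((i for i in self.ipsec
                   if _contains(i.src_net, pkt.src) and _contains(i.dst_net, pkt.dst)), None)
        if sa is None:
            return None     # no VPN profile covers this flow, so it never enters the tunnel
        esp, tun = self.esp[sa.esp_id], self.tunnels[sa.tunnel_id]
        icv = hmac.new(esp.auth_key, pkt.payload, hashlib.sha256).digest()   # stand-in for ESP auth
        pkt.outer = {"src": tun.entrance, "dst": tun.exit, "tos": pkt.tos,   # TOS carried over
                     "spi": sa.spi, "method": tun.method, "icv": icv}
        return pkt

    def forward(self, pkt):
        """Fig. 17 end to end: returns (where the packet goes, the packet or None)."""
        if self.classify(pkt) == "signaling":
            return "signaling", pkt                     # S201: MA protocol control section
        r = self.route(pkt.dst)
        if r is None:
            return "drop", None
        if not r.device.startswith("ipsec"):
            return r.device, pkt                        # physical device: plain forwarding
        out = self.tunnel(pkt)                          # virtual device: MAVPN control section
        if out is None:
            return "drop", None
        phys = self.route(out.outer["dst"], physical_only=True)   # kernel forwards the outer packet
        return (phys.device, out) if phys else ("drop", None)


# Constructed sample: an HA whose route to the enterprise network 192.0.2.0/24 exits through
# the virtual device, with one SA covering the MN's home network behind it.
HA = MobilityAgent(
    routes=[Route("192.0.2.0/24", "0.0.0.0", 1, "ipsec0"), Route("0.0.0.0/0", "10.0.2.254", 10, "eth0")],
    ipsec=[IpsecInfo("10.0.2.0/24", "192.0.2.0/24", "198.51.100.1", tunnel_id=1, esp_id=1, spi=0x100)],
    esp=[EspInfo(1, "esp", "up", auth_key=b"constructed-auth-key", enc_key=b"constructed-enc-key")],
    tunnels=[TunnelInfo(1, "ipsec-tunnel", "up", entrance="10.0.2.1", exit="198.51.100.1")],
)

if __name__ == "__main__":
    dev, out = HA.forward(Packet("10.0.2.50", "192.0.2.10", 0x28, 80, b"hello"))
    print(dev, out.outer)
```

The second forwarding case is the one [0081] relies on: a packet whose source is not covered by any IP Sec. information instance is routed to the virtual device but finds no SA there and is dropped rather than sent through the tunnel unprotected, while traffic for a destination with a physical exit interface is forwarded as-is.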
[0092] At step S205, the MA protocol control section 321 checks the port number of a received packet. When this port number is a port number of the AAA protocol, the process proceeds to step S206. When this port number is a port number of the mobile IP protocol, the process proceeds to step S207 (S205). At step S206, the MA protocol control section 321 starts the AAA protocol processing section 331 to process the AAA protocol (S206). Then, the MA protocol control section 321 extracts the mobile IP protocol message added to the AAA protocol message as additional information, and delivers it to step S207. At step S207, the MA protocol control section 321 starts the mobile IP protocol processing section 332.

[0093] The AAA protocol processing section 331 extracts the VPN information from the received AAA protocol message, and then delivers this VPN information to the VPN information cache 333. Next, the AAA protocol processing section 331 sets a flag on a shared memory indicating that the VPN information has been set, and posts this to the mobile IP protocol processing section 332 (S208). After finishing the AAA protocol processing, the AAA protocol processing section 331 extracts the mobile IP protocol message added to the AAA message (S209). When the received message is a position registration request message (HAR), the AAA protocol processing section 331 creates a position registration response message (HAA) (S210).

[0094] Fig. 20 shows an example of a processing flow of the mobile IP protocol processing section 332. The mobile IP protocol processing section 332 makes a decision on the type of the received mobile IP protocol message. When the type of the received mobile IP protocol message is a registration request, the process proceeds to the registration request processing described in A below. When the type of the received mobile IP protocol message is a registration response, the process proceeds to step S220. When the type of the received mobile IP protocol message is a BU (Binding update) or a BA (Binding acknowledge message), the process proceeds to step S218.

A. In the case of the registration request

[0095] When the MA that has received the registration request is the HA, the mobile IP protocol processing section 332 compares the care-of-address of the registration request message with the care-of-address of the mobility binding. When these care-of-addresses do not coincide with each other as a result of the comparison, the process proceeds to step S214. When the MA that has received the registration request is not the HA, the process branches to step S217. At step S214, the mobile IP protocol processing section 332 rewrites the destination GW address of the VPN information cache instance, held in the VPN information cache 333, of the MA that has transmitted the position registration request to the posted care-of-address.

[0096] This is achieved by providing a link between the mobility binding and the VPN information cache instance. The HA searches all the VPN information profiles of the VPN information cache instance, and when the destination GW type is one to which a VPN can be set dynamically, the HA sets the VPN information of this profile to the BU message and transmits this BU message (S215). At step S216, the mobile IP protocol processing section 332 starts the MAVPN control section 322, and edits the reception message and the transmission message according to the processing MA as shown in the message correspondence table in Fig. 21.

B. In the case of the registration response

[0097] At step S220, the mobile IP protocol processing section 332 refers to the flag set in advance in the shared memory by the AAA protocol processing section 331. When there has been an updating in the cache, the process branches to step S216. When there has been no updating in the cache, the process branches to step S217.

C. In the case of the BU or BA

[0098] At step S218, when the received message is the BU, the process branches to step S219. When the received message is the BA, the process branches to step S217. At step S219, the mobile IP protocol processing section 332 receives all the BU messages addressed to the CN under the management of the PCN. This can be achieved by the technique disclosed in Japanese Patent No. 2… (remainder of the number illegible). When the processing MA is the PCN, the mobile IP protocol processing section 332 caches the VPN information set in the BU message to the VPN information cache 333, or substitutes the message with the VPN information.

[0100] The following is an example of a processing flow
of the QoS control section 334. First, at step S223, the QoS control section 334 deletes the information of the differentiated service that has been set to the network kernel 323 based on the information of the VPN information instance. Next, when the TOS value of the VPN information instance is other than zero (0), the QoS control section 334 branches the process to step S225. When the TOS value of the VPN information instance is zero (0), the QoS control section 334 finishes the processing (S224). At step S225, the QoS control section 334 sets the information of the differentiated service to the network kernel based on the information of the VPN information instance (S225).

[0101] Fig. 24 shows an example of a processing flow of the tunnel control section. First, the tunnel control section deletes the information in the route table 337 that has been set to the network kernel 323 and the corresponding information in the IP Sec. information table 336 based on the information of the VPN information instance (S226). Next, the tunnel control section sets the output destination of the route table at the destination address set in the VPN information profile of the VPN information instance to a virtual device (S227). Further, the tunnel control section sets the tunnel information instance of the IP Sec. information table 336 by referring to the VPN information profile of the VPN information instance (S228).

[0102] At step S229, the tunnel control section refers to the security type within the VPN information profile of the VPN information instance. When the ESP or the AH has been assigned, the process branches to step S230. When neither the ESP nor the AH has been assigned, the tunnel control section finishes the processing. At step S230, the tunnel control section refers to the SPI within the VPN information profile of the VPN information instance. When the SPI is a user individual SPI, the process proceeds to step S231. When the SPI is a default SPI, the process proceeds to step S232. It is assumed that this default SPI has been set to the MA in advance at the time of the initial structuring or from a local maintenance console of the MA. At step S231, the tunnel control section sets the key information relevant to the SPI of the VPN information profile of the VPN information instance to the ESP information instance. At step S232, the tunnel control section sets the ESP identifier to the IP Sec. information instance.
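The QoS control flow (S223 to S225) and the tunnel control flow (S226 to S232) above, as an added illustration that is not the patent's own code: the VpnProfile, Kernel and IpsecTable structures, the virtual device name and the default SPI value are assumptions chosen so that every branch can be exercised offline.

```python
"""Model of the QoS control section (S223-S225) and the tunnel control
section (S226-S232) flows. Added illustration, not code from the patent;
the data structures and the default-SPI value are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VpnProfile:
    """Subset of a VPN information profile used by the two flows."""
    dest_addr: str           # destination GW address of the tunnel
    tos: int                 # TOS value; 0 means no differentiated service
    security_type: str       # "ESP", "AH" or "NONE"
    spi: Optional[int]       # user individual SPI, or None for the default SPI
    key: Optional[bytes]     # key material bound to the user individual SPI


@dataclass
class Kernel:
    """Stand-in for network kernel 323: route table 337 plus diffserv filters."""
    routes: Dict[str, str] = field(default_factory=dict)    # dest_addr -> device
    diffserv: Dict[str, int] = field(default_factory=dict)  # dest_addr -> TOS


@dataclass
class IpsecTable:
    """Stand-in for IP Sec. information table 336."""
    tunnels: Dict[str, dict] = field(default_factory=dict)  # dest_addr -> instance


def qos_control(kernel: Kernel, vpn: VpnProfile) -> bool:
    """S223: drop the old diffserv entry; S224/S225: re-set it only when TOS != 0.
    Returns True when a differentiated service was set."""
    kernel.diffserv.pop(vpn.dest_addr, None)          # S223
    if vpn.tos == 0:                                  # S224: finish
        return False
    kernel.diffserv[vpn.dest_addr] = vpn.tos          # S225
    return True


def tunnel_control(kernel: Kernel, table: IpsecTable, vpn: VpnProfile,
                   default_spi: int) -> Optional[dict]:
    """S226-S232. Returns the IP Sec. information instance that was completed,
    or None when neither ESP nor AH was assigned (the flow ends at S229;
    the route and the bare tunnel instance from S227/S228 remain set)."""
    kernel.routes.pop(vpn.dest_addr, None)            # S226: old route ...
    table.tunnels.pop(vpn.dest_addr, None)            #       ... and old IP Sec. entry
    kernel.routes[vpn.dest_addr] = "vdev0"            # S227: route to the virtual device
    inst = {"dest": vpn.dest_addr}                    # S228: tunnel information instance
    table.tunnels[vpn.dest_addr] = inst
    if vpn.security_type not in ("ESP", "AH"):        # S229
        return None
    if vpn.spi is not None:                           # S230: user individual SPI
        inst["spi"] = vpn.spi                         # S231: key bound to that SPI
        inst["key"] = vpn.key
    else:
        inst["spi"] = default_spi                     # S232: default SPI preset on the MA
    inst["proto"] = vpn.security_type
    return inst
```

Note that the S232 branch attaches no per-user key: a tunnel built on the default SPI is only as strong as the material pre-provisioned on the MA, which is why the user individual SPI path is the one to prefer when auditing such a deployment.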

[0103] Various other embodiments of the present invention, separate from the above-described first embodiment, will be explained below in order to further enhance the understanding of the operation of the present invention, based on the items described above.

[0104] Fig. 25 shows a second embodiment of the present invention.

[0105] This shows an example of a setting of a VPN (when a VPN exists between a stationary HA and a CN) at the time of a move within the same domain. This schematically shows how a VPN is reconstructed when the MN 1 of a user has moved from the FA 21 of the roaming-contracted ISP 2 of the first embodiment to another FA 21' of the same roaming-contracted ISP 2 after a VPN has been set to the GW 51 of the enterprise domain.

[0106] In Fig. 25, when the MN 1 of the user has moved from the FA 21 to a new FA 21' within the same domain, a registration request message (Reg Req) that includes the address of the old FA 21 is transmitted as prescribed in the mobile IP path optimization draft (draft-ietf-mobileip-optim-09) (①). The new FA 21' includes this registration request in an authentication request message (AMR) (②), and transmits this authentication request message (AMR) to the local AAA server (AAAF) 23 within its own ISP 2. When the authentication request message (AMR) includes the old FA 21, the AAAF 23 extracts the VPN between the FA and the HA from the VPN information cache, and substitutes the address of the FA 21 with the address of the new FA 21'. Then, the AAAF 23 returns to the new FA 21' an authentication response message (AMA) to which a profile of the VPN to be set to the FA has been added (③).

[0107] The FA 21' transfers the registration request message (Reg Req) received from the MN 1 to the HA 31 (④). The HA 31 specifies the VPN profile from the HA to the FA from the VPN information cache, and rewrites the address of the FA to the address of the new FA 21'. Next, the HA 31 deletes the IP Sec. tunnel to the old FA 21, and sets a new IP Sec. tunnel (1) to the new FA 21'. The HA 31 finishes the position registration processing, and then returns the registration response message (Reg Rep) to the FA 21' (⑤).

[0108] The FA 21' maps an assigned differentiated service by referring to the VPN information cache, and then sets an IP Sec. tunnel (2) from the FA 21' to the HA 31. The FA 21' then sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information table. Further, the FA 21' copies the VPN information cache, rewrites the transmission originating GW address to the address of the old FA 21, and rewrites the destination GW address to the address of the new FA 21'. Thereafter, the FA 21' adds this VPN information to the BU message, and transmits this message to the old FA 21 (⑥).

[0109] The old FA 21 caches the VPN information added to the BU message, deletes the IP Sec. tunnel directed from the FA 21 to the HA 31, and maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (3) at the smooth-hand-off time from the old FA 21 to the new FA 21'. As a result, all the packets addressed to the MN 1 and received by the old FA 21 before the changeover by the HA 31 to the new IP Sec. tunnel (1) are transferred to the new FA 21' via this IP Sec. tunnel (3). The old FA 21 returns the BA message to the MN after completing the setting of the IP Sec. tunnel (3) (⑦). Based on this, the new FA 21' returns the registration response message (Reg Rep) to the MN 1 (⑧).
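The intra-domain hand-off of Fig. 25 (steps ① to ⑧) carried through on a constructed state, as an added illustration that is not the patent's own code: the Node class, the NAI, the addresses and the packet buffer at the old FA are assumptions; the profile rewrites and the tunnel changes follow paragraphs [0106] to [0109].

```python
"""Intra-domain hand-off of the second embodiment (Fig. 25, steps 1-8):
the VPN profile is re-pointed from the old FA to the new FA, the HA and
the new FA rebuild tunnels (1) and (2), and the old FA opens the
smooth-hand-off tunnel (3). Added illustration, not the patent's code;
node classes, addresses and the packet buffer are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Tunnel = Tuple[str, str]  # (transmission originating GW, destination GW)


@dataclass
class VpnProfile:
    src_gw: str   # transmission originating GW address
    dst_gw: str   # destination GW address


@dataclass
class Node:
    addr: str
    cache: Dict[str, VpnProfile] = field(default_factory=dict)  # NAI -> profile
    tunnels: Set[Tunnel] = field(default_factory=set)
    buffered: List[str] = field(default_factory=list)  # packets waiting for the MN


def handoff_same_domain(mn: str, aaaf: Node, ha: Node,
                        old_fa: Node, new_fa: Node) -> List[str]:
    """Runs steps 1-8 and returns the packets the new FA ends up holding."""
    # (1) Reg Req carries the old FA address; (2) the new FA wraps it in an AMR.
    amr = {"nai": mn, "old_fa": old_fa.addr}
    # AAAF: the FA->HA profile is re-pointed at the new FA and returned in the AMA (3).
    p = aaaf.cache[mn]
    if amr["old_fa"] == p.src_gw:
        p.src_gw = new_fa.addr
    new_fa.cache[mn] = VpnProfile(p.src_gw, p.dst_gw)
    # (4) Reg Req reaches the HA: it re-points its HA->FA profile, replaces the
    # tunnel to the old FA by tunnel (1) to the new FA, and answers Reg Rep (5).
    hp = ha.cache[mn]
    ha.tunnels.discard((ha.addr, hp.dst_gw))
    hp.dst_gw = new_fa.addr
    ha.tunnels.add((ha.addr, new_fa.addr))            # tunnel (1)
    # The new FA sets tunnel (2) towards the HA, then copies its profile with
    # src = old FA, dst = new FA and sends it to the old FA in a BU (6).
    new_fa.tunnels.add((new_fa.addr, ha.addr))        # tunnel (2)
    bu = VpnProfile(old_fa.addr, new_fa.addr)
    # The old FA caches the BU profile, drops its tunnel to the HA, opens tunnel (3).
    old_fa.cache[mn] = bu
    old_fa.tunnels.discard((old_fa.addr, ha.addr))
    old_fa.tunnels.add((old_fa.addr, new_fa.addr))    # tunnel (3)
    # Packets that reached the old FA before the HA switched to tunnel (1) are
    # forwarded over tunnel (3); BA (7) and Reg Rep (8) then complete the move.
    while old_fa.buffered:
        new_fa.buffered.append(old_fa.buffered.pop(0))
    return new_fa.buffered


def build_scenario():
    """Constructed sample state after the first embodiment's VPN was set."""
    mn = "user@example.net"               # constructed NAI
    ha = Node("203.0.113.1")
    old_fa, new_fa = Node("198.51.100.21"), Node("198.51.100.22")
    aaaf = Node("198.51.100.23")
    aaaf.cache[mn] = VpnProfile(old_fa.addr, ha.addr)   # VPN FA->HA as seen by the AAAF
    ha.cache[mn] = VpnProfile(ha.addr, old_fa.addr)     # VPN HA->FA as seen by the HA
    ha.tunnels.add((ha.addr, old_fa.addr))
    old_fa.tunnels.add((old_fa.addr, ha.addr))
    old_fa.buffered = ["pkt-1", "pkt-2"]   # constructed packets in flight during the move
    return mn, aaaf, ha, old_fa, new_fa
```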

[0110] Fig. 26 shows a third embodiment of the present invention.

[0111] This shows an example of a setting of a VPN (when a VPN exists between a stationary HA and a CN) at the time of a move between different domains. This schematically shows how a VPN is reconstructed when the MN 1 of a user has moved from the FA 21 of the roaming-contracted ISP 2 of the first embodiment to another FA 21' of a different roaming-contracted ISP 2' after a VPN has been set from the FA 21 to the GW 51 of the enterprise domain.

[0112] In Fig. 26, when the MN 1 of the user has moved between the different domains 2 and 2', the user transmits a registration request (Reg Req) in a procedure similar to that of a normal initial position registration as prescribed in the DIAMETER mobile expansion draft (draft-ietf-calhoun-diameter-mobileip-08) (①). The FA 21' of the move destination includes this registration request in the authentication request message (AMR) (②), and transmits this authentication request message (AMR) to the AAA (AAAH) 33 of the user home ISP via a local AAA server (AAAF) 22' within its own FA 21'.

[0113] As the two VPNs, namely the VPN between the FA and the HA and the VPN between the HA and the enterprise GW, have already been set in the VPN information cache, the AAAH 33 rewrites the address of the FA of the VPN between the FA and the HA to the address of the new FA 21'. Next, the AAAH 33 transmits to the HA 31 a position registration request message (HAR) to which the profiles of the two VPNs have been added (③). The HA 31 updates the cache based on the VPN information added to the position registration request message (HAR), deletes the IP Sec. tunnel directed from the HA 31 to the old FA 21, and sets a new IP Sec. tunnel (1) to the new FA 21'. Then, after finishing the position registration processing, the HA 31 returns the position registration response message (HAA) to the AAAH (④). In this case, the HA 31 returns the address information of the old FA 21 as additional information.
[0114] Upon receiving the position registration response message (HAA), the AAAH 33 extracts the VPN between the FA and the HA from the VPN information cache, and transmits to the AAAF 23' an authentication response message (AMA) to which the VPN profile to be set to the FA has been added (⑤). The AAAF 23' caches the VPN information within the AAAF in order to follow a move within the local domain of the MN 1, and transfers this information to the FA 21'. The FA 21' caches the VPN information added to the authentication response message (AMA), maps an assigned differentiated service, and then sets an IP Sec. tunnel (2) from the FA 21' to the HA 31. Further, the FA 21' sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information.
[0115] Further, when the authentication response message (AMA) includes the old FA address, the FA 21' copies the VPN information cache, rewrites the transmission originating GW address to the address of the old FA 21, and rewrites the destination GW address to the address of the new FA 21'. Thereafter, the FA 21' adds this VPN information to the BU message, and transmits this message to the old FA 21 (⑥). The old FA 21 caches the VPN information added to the BU message, deletes the IP Sec. tunnel directed from the FA 21 to the HA 31, and maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (3) at the hand-off time from this FA 21 to the new FA 21'.

[0116] As a result, all the packets addressed to the MN 1 and received by the old FA 21 before the changeover of the IP Sec. tunnel to the new IP Sec. tunnel (1) by the HA 31 are transferred to the new FA 21' via this IP Sec. tunnel (3). The FA 21 returns the BA message to the new FA 21' after completing the setting of the IP Sec. tunnel (3) (⑦). Based on this, the new FA 21' returns the registration response message (Reg Rep) to the MN 1 (⑧).

[0117] According to the above-described second and third embodiments, a user who communicates with the enterprise via the ISP can receive the service of a VPN corresponding to a mobile terminal provided by the ISP, without requiring the GW apparatus of the enterprise to have a specific function.

[0118] Fig. 27 shows a fourth embodiment of the present invention.

[0119] This shows an example of a setting of a VPN (when a PCN exists) at the time of an initial position registration. This schematically shows an example of a setting of a VPN when a roaming-contracted ISP of a communication destination has a VPN and a GW (PCN) to which a VPN can be set dynamically. The ISP that has a VPN GW to which a VPN can be set dynamically registers a domain address of the ISP and a GW apparatus address in the CN-GW correspondence table of each provider at the time of making the roaming contract between ISPs, thereby making it possible to dynamically set a VPN by type of GW.

[0120] In Fig. 27, a user joining any one ISP among the roaming-contracted ISPs connects to a nearby access point, and transmits a position registration request (Reg Req) of the mobile IP from this MN 1 (①). The FA 21 includes this registration request in an authentication request message (AMR), and transmits this authentication request message to the AAA (AAAH) 33 of the home ISP 3 of the user via the local AAA server (AAAF) 23 within its own ISP (②).

[0121] The AAAH searches the VPN database 34 by the NAI included in the authentication request message (AMR), and extracts the VPN information of this user. When an address assigned as a user communication destination in the VPN database 34 is within the roaming-contracted ISP 4, it can be known from the CN-GW address correspondence table that it is possible to dynamically set a VPN. Therefore, the AAAH sets a VPN of the GW (PCN) between the FA and the communication destination ISP 4 in the VPN information cache. Next, the AAAH transmits a position registration request message (HAR), to which the profile of this VPN has been added, to the HA 31 (③). The HA 31 caches the VPN information added to the position registration request message (HAR). After finishing the position registration processing, the HA 31 can dynamically set a VPN by referring to the type of the GW of the communication destination GW 41 set in the VPN information. Therefore, the HA 31 transmits an MIP Binding update message BU, to which this VPN information has been added, addressed to a communication terminal CN 42 (④).

[0122] A PCN 41 receives the BU transmitted to the CN 42 on behalf of the CN 42, and caches the VPN information added to the BU. The PCN 41 maps a differentiated service according to the posted VPN information, and sets an IP Sec. tunnel (1) from the PCN 41 to the FA 21. Thereafter, the PCN 41 transmits an MIP Binding Acknowledge message BA to the HA 31 (⑤). When the HA 31 has received the BA, the HA 31 returns the position registration response message (HAA) to the AAAH 33 (⑥). Upon receiving the position registration response message (HAA), the AAAH 33 extracts the VPN of the GW (PCN) between the FA and the communication destination ISP 4 from the VPN information cache. The AAAH 33 then transmits to the AAAF 23 an authentication response message (AMA) to which the VPN profile to be set to the FA 21 has been added (⑦). The AAAF 23 caches the VPN information within the AAAF 23 to follow a move within the local domain of the MN 1, and transfers this VPN information to the FA 21.

[0123] The FA 21 caches the VPN information added to the authentication response message (AMA), and further maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (2) from the FA 21 to the PCN 41. Further, the FA 21 sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information table. Thereafter, the FA 21 returns the registration response message (Reg Rep) to the MN (⑧). As a result, the user can carry out VPN communication with an optional communication destination within the roaming-contracted ISP group.
[0124] Fig. 28 shows a fifth embodiment of the present invention.

[0125] This shows an example of a setting of a VPN (when a PCN exists) at the time of a move within the same domain. This schematically shows how a VPN is reconstructed when the MN 1 of a user has moved from the FA 21 of the roaming-contracted ISP 2 of the fourth embodiment to another FA 21' of the same roaming-contracted ISP 2 after a VPN has been set from this FA 21 to a PCN 41 of another optional roaming-contracted ISP 4.

[0126] In Fig. 28, when the MN 1 of the user has moved from the FA 21 to the FA 21' within the same domain, a registration request message (Reg Req) that includes the address of the old FA 21 is transmitted as prescribed in the mobile IP path optimization draft (draft-ietf-mobileip-optim-09) (①). The new FA 21' includes this registration request in an authentication request message (AMR), and transmits this authentication request message (AMR) to the local AAA server (AAAF) 23 within its own ISP 2 (②). When the authentication request message (AMR) includes the old FA 21, the AAAF 23 extracts the VPN between the FA and the PCN from the VPN information cache, and substitutes the address of the FA 21 with the address of the new FA 21'. Then, the AAAF 23 returns to the new FA 21' an authentication response message (AMA) to which a profile of the VPN to be set to the FA has been added (③).
[0127] The FA 21' transfers the registration request message (Reg Req) previously received from the MN 1 to the HA 31 (④). The HA 31 specifies the VPN profile of the VPN utilized by this MN 1 from the VPN information cache, and rewrites the address of the FA to the address of the new FA 21'. In the present embodiment, the VPN has already been set directly between the FA 21 and the PCN 41. Therefore, the HA 31 posts this change to the PCN 41 by the BU message (⑤). Whether the BU message is to be transmitted or not is determined based on whether the type of the communication destination GW in the VPN information cache is one to which a VPN can be set dynamically or not.

[0128] Next, the PCN 41 deletes the IP Sec. tunnel to the old FA 21 based on the reception of the BU, and sets a new IP Sec. tunnel (1) to the new FA 21'. Thereafter, the PCN 41 transmits the BA message to the HA 31 (⑥). Based on the reception of the BA message, the HA 31 transmits the registration response message (Reg Rep) to the new FA 21' (⑦). The new FA 21' maps an assigned differentiated service by referring to the VPN information cache, and then sets an IP Sec. tunnel (2) from the new FA 21' to the PCN 41. The FA 21' then sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information table. Further, the FA 21' copies the VPN information cache, rewrites the transmission originating GW address to the address of the old FA 21, and rewrites the destination GW address to the address of the new FA 21'. Thereafter, the FA 21' adds this VPN information to the BU message, and transmits this message to the old FA 21 (⑧).

[0129] The old FA 21 caches the VPN information added to the BU message, deletes the IP Sec. tunnel directed from the old FA 21 to the PCN 41, and maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (3) at the smooth-hand-off time from the old FA 21 to the new FA 21'. As a result, all the packets addressed to the MN 1 from the PCN 41 and received by the FA 21 before the changeover of the IP Sec. tunnel to the new IP Sec. tunnel (1) are transferred to the new FA 21' via this IP Sec. tunnel (3). The old FA 21 returns the BA message to the MN after completing the setting of the IP Sec. tunnel (3) (⑨). Based on this, the new FA 21' returns the registration response message (Reg Rep) to the MN 1 (⑦').
[0130] Fig. 29 shows a sixth embodiment of the present invention.

[0131] This shows an example of a setting of a VPN (when a PCN exists) at the time of a move between different management domains. This schematically shows how a VPN is reconstructed when the MN 1 of a user has moved from the FA 21 of the roaming-contracted ISP 2 of the fourth embodiment to another FA 21' of a different roaming-contracted ISP 2' after a VPN has been set from this FA 21 to a PCN 41 of another optional roaming-contracted ISP 4.

[0132] In Fig. 29, when the MN 1 of the user has moved between the different domains 2 and 2', the user transmits a registration request message (Reg Req) in a procedure similar to that of a normal initial position registration as prescribed in the DIAMETER mobile expansion draft (draft-ietf-calhoun-diameter-mobileip-08) (①). The FA 21' of the move destination includes this registration request message in the authentication request message (AMR), and transmits this authentication request message (AMR) to the AAA (AAAH) 33 of the user home ISP via a local AAA server (AAAF) 23' within its own ISP (②). As the VPN between the FA 21 and the PCN 41 has already been set in the VPN information cache, the AAAH 33 rewrites the address of this FA 21 to the address of the new FA 21'. Next, the AAAH 33 transmits to the HA 31 a position registration request message (HAR) to which the profile of this VPN has been added (③).

[0133] The HA 31 updates the cache based on the VPN information added to the position registration request message (HAR), and transmits the BU message to the PCN 41 (④). Upon receiving the BU message, the PCN 41 deletes the IP Sec. tunnel to the old FA 21, and sets a new IP Sec. tunnel (1) to the new FA 21'. Thereafter, the PCN 41 transmits the BA message to the HA 31 (⑤). Upon receiving the BA message, the HA 31 returns the position registration response message (HAA) to the AAAH 33 (⑥). In this case, the HA 31 returns the address information of the old FA 21 as additional information.

[0134] Upon receiving the position registration response message (HAA), the AAAH 33 extracts the VPN between the FA and the HA from the VPN information cache, and transmits to the AAAF 23' an authentication response message (AMA) to which the VPN profile to be set to the FA has been added (⑦). The AAAF 23' caches the VPN information within the AAAF in order to follow a move within the local domain of the MN 1, and transfers this information to the new FA 21'. The new FA 21' caches the VPN information added to the authentication response message (AMA), maps an assigned differentiated service, and then sets an IP Sec. tunnel (2) from the FA 21' to the PCN 41. Further, the FA 21' sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information.
[0135] When the authentication response message (AMA) includes the address of the old FA 21, as in this case, the FA 21' copies the VPN information cache, rewrites the transmission originating GW address to the address of the old FA 21, and rewrites the destination GW address to the address of the new FA 21'. Thereafter, the FA 21' adds this VPN information to the BU message, and transmits this message to the old FA 21 (⑧). The old FA 21 caches the VPN information added to the BU message, deletes the IP Sec. tunnel directed from the old FA 21 to the PCN 41, and maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (3) at the smooth-hand-off time from this FA 21 to the new FA 21'.

[0136] As a result, all the packets addressed to the MN 1 from the PCN 41 and received by the old FA 21 before the changeover of the IP Sec. tunnel are transferred to the new FA 21' via this IP Sec. tunnel (3). The old FA 21 returns the BA message to the MN after completing the setting of the IP Sec. tunnel (3) (⑨). Based on this, the new FA 21' returns the registration response message (Reg Rep) to the MN 1 (⑦'). As shown in the fifth and sixth embodiments, according to the present invention, a user who is a member of the roaming-contract ISP group can set a VPN with any optional communication destination within this group. Further, this user can move freely within this group with the VPN unchanged.

[0137] Fig. 30 shows a seventh embodiment of the present invention.

[0138] This shows an example of a setting of a VPN between optional terminals assigned by the user. While the above-explained examples are for setting a VPN to a specific communication destination assigned by the user, it is also possible for the user to dynamically set a VPN to a communication destination. The present embodiment shows an example of a case where the user sets a VPN to a communication destination other than the communication destination that was assigned by the user when the contract was made.
[0139] A user who wants to change a VPN setting destination accesses a VPN service customizing home page provided by the home ISP 3 of the user. The user sets an address of a communication destination through this home page. A WEB application 36 linked with this home page changes the VPN information of the user in the VPN database 34 to the information assigned by the user (①). When the customizing has been finished, the MN 1 of the user transmits a position registration request message (Reg Req), to which a service update request has been added, to the FA 21 to which the user is currently connected (②). Upon receiving the registration request with the added service update request, the FA 21 includes this registration request in an authentication request message (AMR), and transmits this authentication request message (AMR) to the AAA (AAAH) 33 of the user home ISP via a local AAA server (AAAF) 23 within its own ISP (③).

[0140] The AAAH 33 receives the message with the added service update request regardless of whether the VPN information cache already exists or not, searches the VPN database 34 with the NAI included in the authentication request message (AMR), and extracts the VPN information of this user. When the address assigned as the user communication destination in the VPN database 34 is within the roaming-contracted ISP, it can be known from the CN-GW address correspondence table that a VPN can be dynamically set to this communication destination. Therefore, according to the present embodiment, the AAAH 33 sets a VPN for the GW (PCN) 41' between the FA 21 and the communication destination ISP in the VPN information cache. Then, the AAAH 33 transmits to the HA 31 a position registration request message (HAR) to which the profile of this VPN has been added (④).

[0141] The HA 31 caches the VPN information added to the position registration request message (HAR). After finishing the position registration processing, the HA 31 can dynamically set a VPN by referring to the type of the GW of the communication destination GW 41' set in the VPN information. Therefore, the HA 31 transmits an MIP Binding update message BU, to which this VPN information has been added, addressed to a communication terminal CN 42' (⑤).

[0142] The PCN 41' receives the BU transmitted to the CN 42' on behalf of the CN 42', and caches the VPN information added to the BU message. The PCN 41' maps a differentiated service according to the posted VPN information, and sets an IP Sec. tunnel (1) from the PCN 41' to the FA 21. Thereafter, the PCN 41' transmits an MIP Binding Acknowledge message BA to the HA 31 (⑥).

[0143] When the HA 31 has received the BA message, the HA 31 returns the position registration response message (HAA) to the AAAH 33 (⑦). Upon receiving the position registration response message (HAA), the AAAH 33 extracts the VPN of the GW (PCN) 41' between the FA 21 and the communication destination ISP from the VPN information cache. The AAAH 33 then transmits to the AAAF 23 an authentication response message (AMA) to which the VPN profile to be set to the FA 21 has been added (⑧). The AAAF 23 caches the VPN information within the AAAF 23 to follow a move within the local domain of the MN 1, and transfers this VPN information to the FA 21.

[0144] The FA 21 caches the VPN information added to the authentication response message (AMA), and further maps an assigned differentiated service. Thereafter, the FA 21 sets an IP Sec. tunnel (2) from the FA 21 to the PCN 41'. Further, the FA 21 sets the information for decoding a packet of the opposite-direction tunnel in the IP Sec. information table. Thereafter, the FA 21 returns the registration response message (Reg Rep) to the MN (⑨). When a VPN that had been set before the change of the VPN still exists, the PCN 41 transmits a Binding request message BR to the HA 31 that posted this VPN information, asking whether the VPN can be deleted or not, when the remaining lifetime has become less than a threshold value (⑩).
[0145] Upon receiving this BR message, the HA 31 searches a VPN information cache from the information of the MN 1 that has been set to this message, and checks whether the VPN relating to this PCN 41 still exists in the cache. When this VPN has still been cached, the HA 31 transmits a BU message to the PCN 41. When the VPN has not been cached, the HA 31 transmits no BU message to the PCN 41. In the present example, the PCN 41 deletes an existing VPN as no BU can be received until the completion of the lifetime. As explained above, the user can also dynamically assign a VPN setting destination. In the present embodiment, an example of assigning a VPN setting destination only through the WEB has been shown. However, the gist of the present invention is the distribution of the VPN information to an assigned setting destination and the setting/releasing means of this VPN information under a mobile environment. There are various methods of assigning a communication destination and means for reflecting them to the VPN database 34. For example, there are various applications such as a dialing of a VPN code with a communication destination using a portable telephone, and a one-click setting of a VPN from a communication server, etc.
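The lifetime-driven BR/BU exchange between the PCN and the HA described in [0144]-[0145], as an added Python simulation that is not part of the patent; the class, field and node names, the lifetime values and the threshold are assumptions.

```python
"""Added illustration (not code from the patent) of the BR/BU lifetime check of
paragraphs [0144]-[0145]. Class, field and node names, the lifetime values and
the threshold are assumptions; the message flow follows the text."""
from dataclasses import dataclass, replace

@dataclass
class VpnInfo:
    mn: str        # mobile node (MN) the VPN belongs to
    peer: str      # far end of the IP Sec. tunnel (the FA accommodating the MN)
    service: str   # differentiated service mapped to the tunnel
    lifetime: int  # remaining lifetime in seconds (assumed unit)

class HomeAgent:
    """HA 31: holds the VPN information cache posted by the AAAH."""
    def __init__(self):
        self.vpn_cache = {}  # (mn, pcn name) -> VpnInfo

    def post_vpn(self, pcn, info):
        """Cache the VPN and post it to the PCN in a BU; the PCN answers BA."""
        self.vpn_cache[(info.mn, pcn.name)] = info
        return pcn.on_binding_update(info)

    def release_vpn(self, mn, pcn_name):
        """The user changed the VPN setting destination: drop the cache entry."""
        self.vpn_cache.pop((mn, pcn_name), None)

    def on_binding_request(self, pcn_name, mn):
        """[0145]: search the cache from the MN information in the BR and answer
        with a BU only while the VPN for this PCN is still cached."""
        info = self.vpn_cache.get((mn, pcn_name))
        return None if info is None else ("BU", replace(info))  # BU carries a copy

class NetworkApparatus:
    """PCN 41: security gateway holding the dynamically set IP Sec. tunnels."""
    def __init__(self, name, threshold):
        self.name = name
        self.threshold = threshold  # remaining lifetime below which a BR is sent
        self.tunnels = {}           # mn -> VpnInfo, one tunnel per MN
        self.sent_br = []           # MNs for which a BR was sent, for inspection

    def on_binding_update(self, info):
        """[0142]: cache the VPN information from the BU, (re)set the tunnel to
        the FA with the mapped service and a fresh lifetime, and return a BA."""
        self.tunnels[info.mn] = replace(info)
        return ("BA", info.mn)

    def tick(self, elapsed, ha):
        """Advance time by `elapsed` seconds and run the lifetime check."""
        for mn, info in list(self.tunnels.items()):
            info.lifetime -= elapsed
            if info.lifetime <= 0:
                del self.tunnels[mn]  # lifetime completed with no BU: delete VPN
            elif info.lifetime < self.threshold:
                self.sent_br.append(mn)
                reply = ha.on_binding_request(self.name, mn)
                if reply is not None:
                    self.on_binding_update(reply[1])  # BU restores the lifetime

def run_scenario():
    """Constructed scenario: the VPN is refreshed once, then the user moves the
    setting destination away from the PCN and the stale tunnel expires."""
    ha, pcn = HomeAgent(), NetworkApparatus("PCN41", threshold=30)
    ha.post_vpn(pcn, VpnInfo("MN1", "FA21", "EF", lifetime=100))
    pcn.tick(80, ha)                 # 20 s left -> BR -> BU refreshes to 100
    after_refresh = pcn.tunnels["MN1"].lifetime
    ha.release_vpn("MN1", pcn.name)  # setting destination changed at the HA
    pcn.tick(80, ha)                 # BR again, but no BU comes back
    still_present = "MN1" in pcn.tunnels
    pcn.tick(30, ha)                 # lifetime completes -> VPN deleted
    return after_refresh, still_present, "MN1" in pcn.tunnels, len(pcn.sent_br)
```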

[0146] As explained above, the present invention has the following effects.

1) It is possible to provide a VPN setting service between optional terminals without requiring an MN and a CN to have a specific VPN function. This is achieved by dynamically setting a VPN of the IP Sec. to a security gateway of terminals participating in communications, to a public IP network, linked with a position registration procedure in the mobile IP.

2) It is possible to set a VPN with the service quality, the security level, and the route, assigned by users based on a free combination.

3) It is possible to automatically update a VPN path along with a move of an MN.



Claims 
1. A server apparatus provided in a home network of an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the server apparatus comprising:

memory means that stores information for constructing a safe communication path within an IP network in relation to the terminal; and
distribution means that distributes the information to construct a safe communication path between the terminal within an external network of a move destination and the other terminal with whom the terminal communicates.

2. The server apparatus according to Claim 1, wherein the distribution means transfers the information with position information linked with [...]

[...] apparatus and the external network apparatus, between the home network apparatus and the predetermined network apparatus, and between the external network apparatus and the predetermined network apparatus, to a new VPN path based on the IP Sec. respectively.

The VPN system according to Claim 6, wherein the home authentication server includes:

an AAA VPN control section that specifies a [...] message to the home network, as service profiles.

The VPN system according to Claim 6, wherein each network apparatus includes:

[...] the VPN [...] between [...];
[...] the security gateways according to the service profile.

[...] the transfer of a communication packet [...] authentication server comprising:

means that extracts safety path information [...] when the mobile terminal has made a position registration request; and
safety path construction instruction means that instructs a network apparatus accommodating the mobile terminal to construct a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the extracted safety path information.

11. The external authentication server according to Claim 10, wherein

the safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.

12. The external authentication server according to Claim 11, wherein

the safe communication path is a VPN path according to the IP Sec.

13. A network apparatus for accommodating a mobile terminal in an IP network using a protocol that automates the management of an IP address and the transfer of a communication packet to a move destination when a terminal has moved between networks on the IP network, the network apparatus comprising:

means that receives a safety path construction instruction based on safety path information corresponding to a user included in a response message from a home authentication server when the mobile terminal has made a position registration request; and
safety path construction means that constructs a safe communication path between this network apparatus and a network apparatus accommodating the other terminal as a communication destination, based on the received safety path construction information.

14. The network apparatus according to Claim 13, wherein

the safe communication path is a communication path realized by a virtual private network, and the safety path information includes set path information and security information of the virtual private network.

15. The network apparatus according to Claim 14, wherein

the safe communication path is a VPN path according to the IP Sec.

16. A VPN setting method in a mobile IP network comprising the steps:

that a user network apparatus sets a VPN path by a stationary IP Sec. tunnel directed from the user network apparatus to its home agent;
that a user mobile terminal transmits a position registration request message to a foreign agent;
that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, caches the VPN information between the foreign agent and the home agent and between the user network apparatus and the home agent, and transmits the position registration request message including this information to the home agent;
that the home agent caches the received position registration request message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the home agent to the user network apparatus as a communication destination host and to the foreign agent respectively, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the foreign agent;
that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information between the home agent and the foreign agent; and
that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.
17. The VPN setting method according to Claim 16, further comprising the steps:

that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
that the new foreign agent transfers the received position registration request message to the home agent;
that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the new foreign agent after finishing the position registration processing; and
that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.

18. The VPN setting method according to Claim 16, further comprising the steps:

that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
that, based on the received position registration request information, the home agent updates the cached VPN information, deletes the VPN path directed from the home agent to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the home agent set with the assigned security service to the new foreign agent, and transmits a position registration response message to the home authentication server after finishing the position registration processing;
that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the home agent, to a local authentication server of the new foreign agent;
that the local authentication server transmits the received authentication response message to the new foreign agent after updating the cached VPN information; and
that the new foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the home agent, and then returns the position registration response message to the user mobile terminal.

19. A VPN setting method in a mobile IP network comprising the steps:

that a user mobile terminal transmits a position registration request message from the user mobile terminal to a foreign agent;
that the foreign agent transmits an authentication request message including the received position registration request information to a user home authentication server via a local authentication server of the foreign agent;
that, based on the received authentication request message, the home authentication server refers to its own database and extracts a communication destination host, a type of the network apparatus, and security service information by users, sets a VPN between the foreign agent and the communication destination network apparatus to a VPN cache when the type of the network apparatus is one to which a VPN can be set dynamically, and transmits the position registration request message including this information to the home agent;
that the home agent caches the received position registration request message, and transmits a binding update message added with this VPN information to the communication destination host after finishing the position registration processing, when the type of the network apparatus is one to which a VPN can be set dynamically;
that the network apparatus receives the binding update message on behalf of the communication destination host, caches the VPN information added to this message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the network apparatus to the foreign agent, and thereafter transmits a binding authorization message to the home agent;
that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the home authentication server;
that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the foreign agent;
that the local authentication server transmits the received authentication response message to the foreign agent after caching the VPN information added to this message; and
that the foreign agent caches the VPN information included in the received authentication response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.

20. The VPN setting method according to Claim 19, further comprising the steps:

that the user mobile terminal moves to an area of a new foreign agent within the same network, and transmits from there a position registration request message including position information of the old foreign agent;
that the new foreign agent transmits an authentication request message including the received position registration request information to the local authentication server;
that the local authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits an authentication response message including this information to the new foreign agent;
that the new foreign agent transfers the received position registration request message to the home agent;
that, based on the received position registration request information, the home agent rewrites the foreign agent information of the cached VPN information between the foreign agent and the network apparatus to the information of the new foreign agent, and transmits a binding update message added with this VPN information to the communication destination host, when the type of the network apparatus is one to which a VPN can be set dynamically;
that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the home agent;
that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent; and
that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.

21. The VPN setting method according to Claim 19, further comprising the steps:

that the user mobile terminal moves to an area of a new foreign agent within a different network, and transmits from there a position registration request message including position information of the old foreign agent;
that the new foreign agent transmits an authentication request message including the received position registration request information to the home authentication server of the user via a local authentication server of the new foreign agent;
that the home authentication server rewrites the foreign agent information of the cached VPN information between the foreign agent and the home agent to the information of the new foreign agent, and transmits the position registration request message including this information to the home agent;
that, based on the received position registration request information, the home agent updates the cached VPN information, and transmits a binding update message added with this VPN information to the communication destination host when the type of the network apparatus is one to which a VPN can be set dynamically;
that, based on the received binding update message, the network apparatus updates the cached VPN information, deletes the VPN path directed from the network apparatus to the old foreign agent, sets a VPN path by an IP Sec. tunnel directed from the network apparatus set with the assigned security service to the new foreign agent, and thereafter transmits a binding authorization message to the home agent;
that, upon receiving the binding authorization message, the home agent transmits a position registration response message to the new foreign agent;
that, based on the reception of the position registration response message, the home authentication server transmits the authentication response message added with the cached VPN information between the foreign agent and the network apparatus, to a local authentication server of the new foreign agent;
that the local authentication server transmits the received authentication response message to the new foreign agent after caching the VPN information added to this message; and
that the new foreign agent caches the VPN information included in the received position registration response message, sets the assigned security service, sets a VPN path by an IP Sec. tunnel directed from the new foreign agent to the network apparatus, and then returns the position registration response message to the user mobile terminal.

22. The VPN setting method according to Claim 17 or 20, further comprising the steps:

that the new foreign agent copies the cached VPN information, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
that the old foreign agent caches the VPN information of the received binding update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.

23. The VPN setting method according to Claim 18 or 21, further comprising the steps:

that the new foreign agent copies the cached VPN information when the authentication response message includes the information of the old foreign agent, and transmits a binding update message added with the VPN information with the transmission origin rewritten to the old foreign agent and with the transmission destination rewritten to the new foreign agent, to the old foreign agent; and
that the old foreign agent caches the VPN information of the received coupling update message, deletes the VPN path directed from the old foreign agent to the home agent, sets a VPN path by an IP Sec. tunnel directed from the old foreign agent set with the assigned security service to the new foreign agent, and thereafter transmits a coupling authorization message to the new foreign agent.

24. The VPN setting method according to Claim 19, further comprising the steps:

that the user customizes the user VPN information by making access to a database of the home authentication server by predetermined communication means, and thereby changes the communication destination to a network apparatus of the type of the network apparatus to which a VPN can be set dynamically; and
that the user mobile terminal transmits a position registration request message added with a service update request, to a foreign agent.

25. The VPN setting method according to Claim 24, further comprising the steps:

that the network apparatus measures a lifetime of a communication host under its management, transmits a binding request message to the home agent that has posted the VPN information when the remaining lifetime has become less than a predetermined threshold value, and deletes the VPN information when the binding update message has not been received; and
that the home agent retrieves the cached VPN information from the user mobile terminal information included in the received binding request message, transmits a binding update message when the information of the network apparatus exists, and leaves it as it is when the information of the network apparatus does not exist.